| Beschreibung: | Summary:
The remote host is missing an update for the 'imagemagick, ruby-rmagick' package(s) announced via the MGASA-2016-0188 advisory.
Vulnerability Insight:
It was discovered that ImageMagick did not properly sanitize certain input
before passing it to the delegate functionality. A remote attacker could
create a specially crafted image that, when processed by an application
using ImageMagick or an unsuspecting user using the ImageMagick utilities,
would lead to arbitrary execution of shell commands with the privileges of
the user running the application (CVE-2016-3714).
It was discovered that certain ImageMagick coders and pseudo-protocols did
not properly prevent security sensitive operations when processing
specially crafted images. A remote attacker could create a specially
crafted image that, when processed by an application using ImageMagick or
an unsuspecting user using the ImageMagick utilities, would allow the
attacker to delete, move, or disclose the contents of arbitrary files
(CVE-2016-3715, CVE-2016-3716, CVE-2016-3717).
A server-side request forgery flaw was discovered in the way ImageMagick
processed certain images. A remote attacker could exploit this flaw to
mislead an application using ImageMagick or an unsuspecting user using the
ImageMagick utilities into, for example, performing HTTP(S) requests or
opening FTP sessions via specially crafted images (CVE-2016-3718).
The imagemagick package has been updated to version 6.9.4-2 to fix these
issues and several other bugs.
Affected Software/OS:
'imagemagick, ruby-rmagick' package(s) on Mageia 5.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
